Internet Security

Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR

A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May. The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period May 25, aka…


A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018 and shows the DPC received more than double the amount of complaints post-GDPR vs the first portion of 2018 prior to the new regime coming in: With 2,864 and 1,249 complaints received respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017). Which is a year on year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon,Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995 a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for European’s privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportions of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also most complained about under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as up to 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in German

Read More

Be the first to write a comment.

Leave a Reply

Internet Security

Twitter admits it used two-factor phone numbers and emails for serving targeted ads

Twitter has said it used phone numbers and email addresses, provided by users to set up two-factor authentication on their accounts, to serve targeted ads. In a disclosure Tuesday, the social media giant said it did not know how many users were impacted. The issue stemmed from the company’s tailored audiences program, which allows companies…


Twitterhas said it used phone numbers and email addresses, provided by users to set up two-factor authentication on their accounts, to serve targeted ads.

In a disclosure Tuesday, the social media giant said it did not know how many users were impacted.

The issue stemmed from the company’s tailored audiences program, which allows companies to target advertisements against their own marketing lists, such as phone numbers and email addresses. But Twitter found that when advertisers uploaded their marketing lists, it matched Twitter users to the phone numbers and email addresses users submitted to set up two-factor authentication on their account.

The issue was addressed as of September 17, the disclosure said.

Two-factor authentication is an important security feature that makes it far more difficult for hac

Read More

Continue Reading
Internet Security

Messaging app Kik shuts down as company focuses on Kin, its cryptocurrency

Updated with comment from Kik Kik Interactive CEO Ted Livingston announced today that the company is shutting down Kik Messenger to focus on its cryptocurrency Kin, the target of a lawsuit filed by the Securities and Exchange Commission. The company’s team will be reduced to 19 people, a reduction that will affect more than 100…


Updated with comment from Kik

KikInteractive CEO Ted Livingston announced today that the company is shutting down Kik Messenger to focus on its cryptocurrency Kin, the target of a lawsuit filed by the Securities and Exchange Commission. The company’s team will be reduced to 19 people, a reduction that will affect more than 100 employees, as it focuses on converting more Kin users into buyers.

“Instead of selling some of our Kin into the limited liquidity that exists today, we made the decision to focus our current resources on the few things that matter most,” Livingston wrote in a blog post, adding that the changes will reduce the company’s burn rate by 85%, enabling it to get through the SEC trial.

In an email to TechCrunch, a company spokesperson said “We can confirm that the Kik Messenge

Read More

Continue Reading
Internet Security

This game uses troll tactics to teach critical thinking

The best medicine against online disinformation is an informed society that’s thinking critically. The problem is there are no shortcuts to universal education. Enter Finnish Public Broadcasting Company, Yle, which is hoping to harness the engagement power of gamification to accelerate awareness and understanding of troll tactics and help more people spot malicious internet fakes.…


The best medicine against online disinformation is an informed society that’s thinking critically. The problem is there are no shortcuts to universal education.

Enter Finnish Public Broadcasting Company, Yle,which is hoping to harness the engagement power of gamification to accelerate awareness and understanding of troll tactics and help more people spot malicious internet fakes. It has put together an online game, called Troll Factory, that lets you play at being, well, a hateful troll. Literally.

The game begins with a trigger warning that it uses “authentic social media content” that viewers may find disturbing. If you continue to play you’ll see examples of Islamophobic slogans and memes that have actually been spread on social media. So the trigger warning is definitely merited.

The game itself takes the form of a messaging app style conversation on a virtual smartphone in which you are tasked by the troll factory boss to whip up anti-immigrant sentiment. You do this by making choices about which messages to post online and the methods used to amplify distribution.

Online disinformation tactics intended to polarize public discourse which are depicted i

Read More

Continue Reading
Internet Security

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers. The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other…


In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploi

Read More

Continue Reading